fix(security): use a more restrictive CSP for untrusted content

2025-06-27 16:36:00 +00:00 · 2025-03-29 19:43:06 -07:00 · 2025-03-29 19:43:06 -07:00 · cb695e653a
commit cb695e653a
parent f57949c9a2
4 changed files with 18 additions and 4 deletions
--- a/internal/http/response/html/html.go
+++ b/internal/http/response/html/html.go
@ -37,7 +37,7 @@ func ServerError(w http.ResponseWriter, r *http.Request, err error) {

 	builder := response.New(w, r)
 	builder.WithStatus(http.StatusInternalServerError)
-	builder.WithHeader("Content-Security-Policy", `sandbox`)
+	builder.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
 	builder.WithHeader("Content-Type", "text/html; charset=utf-8")
 	builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
 	builder.WithBody(err)
@ -61,7 +61,7 @@ func BadRequest(w http.ResponseWriter, r *http.Request, err error) {

 	builder := response.New(w, r)
 	builder.WithStatus(http.StatusBadRequest)
-	builder.WithHeader("Content-Security-Policy", `sandbox`)
+	builder.WithHeader("Content-Security-Policy", response.ContentSecurityPolicyForUntrustedContent)
 	builder.WithHeader("Content-Type", "text/html; charset=utf-8")
 	builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store")
 	builder.WithBody(err)